CVE-2026-49322
CWE-294Published: May 29, 2026· Updated: May 29, 2026
Official Description
Weak authentication in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with read access to the in-vehicle network to recover the user-set unlock PIN by passively observing a single PIN authentication exchange. The Infotainment Digital Round display computes its response using a non-cryptographic operation rather than a cryptographic challenge-response, so the PIN is mathematically derivable from one captured exchange, defeating the motorcycle's primary user-authentication control. Specific protocol details have been withheld pending vendor remediation.
Technical Analysis
CVE-2026-49322 requires local access, meaning attackers must already have a foothold on the target system.
Exploitation does not require any privileges, though user interaction (Required) is needed, which slightly reduces the risk of mass automated attacks.
A successful exploit results in complete confidentiality breach (data exposure), with a CVSS base score of 4.3.
CVSS v3.1 Vector Breakdown
Exploit & PoC Resources
All References (1)
Quick Facts
Related CVEs (CWE-294)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-49322 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts